Encrypted Media Extensions will kill the web

drm davidrichardmatthews at 420blaze.it
Sun Jul 9 14:12:00 PDT 2017


Amid Unprecedented Controversy, W3C Greenlights DRM for the Web

By Cory Doctorow
July 6, 2017

Early today, the World Wide Web Consortium (W3C) standards body publicly
announced its intention to publish Encrypted Media Extensions (EME)—a
DRM standard for web video—with no safeguards whatsoever for
accessibility, security research or competition, despite an
unprecedented internal controversy among its staff and members over this

EME is a standardized way for web video platforms to control users'
browsers, so that we can only watch the videos under rules they set.
This kind of technology, commonly called Digital Rights Management
(DRM), is backed up by laws like the United States DMCA Section 1201
(most other countries also have laws like this).

Under these laws, people who bypass DRM to do legal things (like
investigate code defects that create dangerous security vulnerabilities)
can face civil and criminal penalties. Practically speaking, bypassing
DRM isn't hard (Google's version of DRM was broken for six years before
anyone noticed), but that doesn't matter. Even low-quality DRM gets the
copyright owner the extremely profitable right to stop their customers
and competitors from using their products except in the ways that the
rightsholder specifies.

EFF objects to DRM: it's a bad idea to make technology that treats the
owner of a computer as an adversary to be controlled, and DRM wrecks the
fairness of the copyright bargain by preventing you from exercising the
rights the law gives you when you lawfully acquire a copyrighted work
(like the rights to make fair uses like remix or repair, or to resell or
lend your copy).

But EFF understood that the W3C had members who wanted to make DRM, so
we suggested a compromise: a covenant, modeled on the existing W3C
member-agreement, that would require members to make a binding promise
only to use the law to attack people who infringed copyright, and to
leave people alone if they bypassed DRM for legal reasons, like making
W3C-standardized video more accessible for people with disabilities.

This was a very popular idea. It was endorsed by Unesco, by the Internet
Archive, by the creator of the W3C's existing membership agreement, by
hundreds of top security researchers, by the competition expert who
coined the term "Net Neutrality", and by hundreds of human rights
organizations and activists from the global south. The Open Source
Initiative amended its definition of "open standard" so that DRM
standards could only qualify as "open" if they protected legitimate

Now, it's fair to say that the W3C's DRM advocates didn't like the idea.
After a perfunctory discussion process (during which some progress was
made), they walked away from the negotiations, and the W3C decided to
allow the standardization work to continue despite their unwillingness
to compromise.

But other W3C members did like the idea. On March 12, the final vote for
publishing EME closed, and members ranging from the German National
Library to the UK Royal National Institute for Blind People to the
cryptocurrency startup Ethereum, to Brave, a new entrant to the browser
market -- along with dozens more -- rejected the idea of publishing EME
without some protections for these equities (the numbers in the vote are
confidential by W3C's own membership requirements, but all the members
mentioned here have given permission to have their votes revealed).

It was the most controversial vote in W3C history. As weeks and then
months stretched out without a decision, another W3C member, the Center
for Democracy and Technology, proposed a very, very narrow version of
the covenant, one that would only protect security researchers who
revealed accidental or deliberate leaks of data marked as private and
sensitive by EME. Netflix's representative dismissed the idea out of
hand, and then the W3C's CEO effectively killed the proposal.

Today, the W3C announced that it would publish its DRM standard with no
protections and no compromises at all, stating that W3C Director Tim
Berners-Lee had concluded that the objections raised "had already been
addressed" or that they were "overruled."

In its statement, the W3C said that publishing a DRM standard without
protections for core open web activities was better than not doing so,
because its DRM had better support for privacy, accessibility, and
competition than a non-W3C version of DRM would have.

We disagree. Even by the W3C's own measures, EME represents no
improvement upon a non-standards approach, and in some important ways,
the W3C's DRM is worse than an ad-hoc, industry approach.

At root is the way that DRM interacts with the law. Take security: the
W3C's specification says that users' computers should be protected from
privacy-invading activities by DRM vendors, but without a covenant, it's
impossible to check whether this is happening. Recall that Netflix, one
of the principal advocates for DRM at W3C, categorically rejected the
narrowest of covenants, one that would protect solely the activity of
revealing DRM flaws that compromised user privacy.

On the question of accessibility, the W3C has simply ignored the
substantial formal and informal objections raised by its members,
including members with deep expertise in accessibility, such as Vision
Australia, Media Access Australia, Benetech, and the RNIB. These
organizations pointed out that having a place for assistive data was
nice, but to make video accessible, it was necessary to use computers to
generate that data.

It's great to say that if you know where all the strobe effects are in
10,000,000 hours of videos, you could add warnings to the timelines of
those videos to help people with photosensitive epilepsy. But unless you
have an unimaginable army of people who can watch all that video, the
practical way to find all those strobes is to feed the video to a
computer, after bypassing the DRM. Otherwise, most video will never,
ever be made safe for people with photosensitive epilepsy.

Multiply that by the unimaginable armies of people needed to write
subtitles, translate audio, and generate descriptive audio tracks, and
you've exceeded the entire human race's video-annotating capacity
several times over—but barely scratched the surface of what computers
can (and will be able to) do.

On the question of competition, the W3C's response is even more
frustrating and non-responsive. EME only solves part of the
video-transmission standard: for a browser to support EME, it must also
license a "Content Decryption Module" (CDM). Without a CDM, video just
doesn't work.

All the big incumbents advocating for DRM have licenses for CDMs, but
new entrants to the market will struggle to get these CDMs, and in order
to get them, they have to make promises to restrict otherwise legal
activities (for example, CDM licensing terms prevent users in some parts
of Europe from seeing videos made available in other parts of the EU).

The W3C says that none of this makes DRM any worse than what was there
before the standards effort, but they're dead wrong. DRM is covered by a
mess of criss-crossing patents that make any kind of interoperable DRM
transcendentally hard to create -- unless there's some way of cutting
through the patent thicket. That's where the W3C comes in: its patent
policy requires members to swear not to enforce their patents against
people who implement W3C standards. Since the W3C's membership includes
key DRM patent owners, it's the one forum where such a standard can be set.

At EFF, we've spent decades defending people engaged in legitimate
activities that companies or governments disliked: researchers who go
public with defects in products whose users are blithely unaware of
them; new entrants to monopolized markets who offer better products with
features the cozy old guard don't like; public spirited archivists and
accessibility workers who want to preserve digital culture and make sure
everyone gets to use it.

We're dismayed to see the W3C literally overrule the concerns of its
public interest members, security experts, accessibility members and
innovative startup members, putting the institution's thumb on the
scales for the large incumbents that dominate the web, ensuring that
dominance lasts forever.

This will break people, companies, and projects, and it will be
technologists and their lawyers, including the EFF, who will be the ones
who'll have to pick up the pieces. We've seen what happens when people
and small startups face the wrath of giant corporations whose ire
they've aroused. We've seen those people bankrupted, jailed, and
personally destroyed.

That's why we fought so hard at the W3C, and it's why we're fighting so
hard to fix laws like Section 1201 of the DMCA. We've been suing the US
government over the constitutionality of DMCA 1201; in the coming
months, we'll be back at the US Copyright Office, arguing to maintain
and extend the exemptions to 1201 we won in 2015.

As for the W3C... we're working on it. There is an appeals process for
Tim Berners-Lee's decisions at the W3C, which has never been
successfully triggered. The entire project of designing technology to
control web users, rather than empowering them, has taken the W3C into
uncharted waters, and this is the most unfamiliar of them all. We're
looking into this, counting noses, and assessing our options. We'll keep
you informed.
